@dafyre said in Fedora Powerloss:

@thwr said in Fedora Powerloss:

@dafyre said in Fedora Powerloss:

@scottalanmiller said in Fedora Powerloss:

@dafyre said in Fedora Powerloss:

@scottalanmiller said in Fedora Powerloss:

@thwr said in Fedora Powerloss:

@scottalanmiller said in Fedora Powerloss:

@emad-r said in Fedora Powerloss:

@mattbagan said in Fedora Powerloss:

sume, I would need to start over with the vm installs, considering they were in the middle of installing the OS. Host machine is setup with mdadm raid.

check the file system for errors + scrub the raid array if you are paranoid

XFS doesn't even have a filesystem check utility 🙂

xfs_check
http://docs.cray.com/books/S-2377-22/html-S-2377-22/z1029470303.html

Does it actually do something? XFS famously does a placebo check.

Yes, it actually does something. It's fixed a couple of systems here for me that wouldn't mount a data drive.

Interesting. With XFS?

Yepp. I know the system is XFS. I'm trying to get connected to it now, but it lost it's AD connection and I don't have a local login on it, lol.

Can't you boot the machine using some LiveCD and alter the PAM order / add pam_unix/pam_localuser? You could also change root's password this way. This only works if the drive is not encrypted or you have the key.

Yeah, I could do that, but I like my job, lol. In an emergency that's what we do, but this isn't an emergency (the system is up, my login isn't working).

If you say so 😉

@stacksofplates said in If all hypervisors were priced the same...:

@storageninja said in If all hypervisors were priced the same...:

@stacksofplates said in If all hypervisors were priced the same...:

Also, decisions are often more nuanced than simple TCO decisions. If you have compliance requirements this often shifts to commercial solutions that have validated FIPS 140-2 modules/solutions. If you need a DISA STIG at a given level paying some money and being able to deploy a single VIB to harden compliance vs. go through checklists and argue with auditors can be a big deal. How do you quantify the cost of applying with NIST for validation with a do it yourself setup vs. a turnkey solution?

RHEL/RHV have a good solution here. Auditors go through OpenSCAP scans with nice HTML reports and we justify any “failures.” It’s a pretty nice system.

That just audits if it was set. What I'm talking about is a single package you deploy that goes ahead and sets the configuration settings up for you.

On ESXi you can use Update Manager to track compliance with the DISA VIB, and use that for tracking it. Just attach as a baseline to your clusters and let Update Manager keep it up to date. Ed Groggin I think has a tool that will do an auto-generation of a report on the hardening guidelines.

Looking online, I'm not seeing Server 2016 in STIG viewer yet. Has Microsoft not gotten a STIG out yet?

Also Redhat Virtulization licensing cost as much (or more) than vSphere Standard. At that point if you don't need/want Redhat support VMware looks a lot more attractive. Oddly the only STIG for Suse I'm seeing is for Z series.

Well yes and no. They have built in remediations with OpenSCAP, so you can have it auto remediate your machine. We ran an auto remediate to get the correct settings and then pushed it all out with Ansible since we can apply specific rules or not based on the type of machine since they are all RHEL based (workstations, servers, hypervisors, etc). We don’t use RHV, but they have a subset of rules for RHV which is why I mentioned it. We use bare KVM for systems and it works out pretty well. Ya I’m not sure about 2016 but I wouldn’t be surprised seeing how slow they are.

The remediations are in Bash, Ansible, and I think Puppet? Anyway I have written a few of the Ansible remediations for them and have had them pulled into the project.

Ya I also pretty much use Virt-Manager/Virsh. I have a bare KVM server and an OpenStack box. I pretty much use Ansible/Terraform to spin up new instances on OpenStack.

@matteo-nunziati said in Help me understand KVM Networking:

@stacksofplates said in Help me understand KVM Networking:

@wirestyle22 said in Help me understand KVM Networking:

@black3dynamite said in Help me understand KVM Networking:

@stacksofplates said in Help me understand KVM Networking:

Too bad ovs isnt in the repos for RHEL/CentOS. You can set up these private networks and connect them through a VXLAN with ovs. That way you can have something like a separate dev network on the same hosts and they can communicate between hosts.

Not available in the epel repo?

That is apparently the case unless my google--fu isn't up to snuff

Nope. It is available in Fedora though. If you want to install it you have to manually build the RPMs. While not hard to build it would be a pain to maintain updates.

OVS is used by oVirt so maybe the centos ovirt repo has it (or the ovirt stable repo)

I'm assuming it's just building the RPM since it's not in the normal repo.

http://resources.ovirt.org/pub/ovirt-4.2/

@fateknollogee said in Fedora 27: Kernel upgrade to 4.14.8-300....no boot:

@black3dynamite said in Fedora 27: Kernel upgrade to 4.14.8-300....no boot:

@fateknollogee said in Fedora 27: Kernel upgrade to 4.14.8-300....no boot:

Server is Lenovo RD640
o/s: Fedora 27
installed kernel: 4.13.9.300

Tried upgrading to 4.14.8-300...the system gets to the grub screen where I can see both available kernels...screen goes black...after waiting a few minutes, I ctrl-alt-del, reboot, choose 4.14..9-300

Anyone have a Lenovo server with upgraded kernel?

I've experienced the boot issue while using 4.14.11, I had to turn off Kernel Page Table Isolation (KPTI).

What flavor of hardware?

On my very old lab server running Hyper-V 2012 R2.
Hardware: PowerEdge 2950
CPU: Intel Xeon E5430
VM: Fedora 27

@fateknollogee said in KVM host: Failed login attempts:

My bad, my bad....
Last week I was doing some testing & I set a port forward on port 22 to this host.
Ooops, I forgot to remove the rule.

This is why I only allow RSA key based authentication. No root login, no password login. Disable all other methods.

@fateknollogee said in how do I migrate my KVM settings to a new desktop:

Can you "virsh dumpxml vmname" while the vm is running?

Yes.

@emad-r said in FOSS VPS Options (or VirtKick alternative):

@stacksofplates said in FOSS VPS Options (or VirtKick alternative):

Why not just use OpenStack?

I didnt know it had this functionality, I thought it was like vCenter.

Do you have screenshots on how the clients see the panel ?
do you know easy guide to set it up with KVM centos 7 ?
Does it support billing ?

Created a demo user. You get whatever resources are assigned to that user/group.

0_1513458428144_os.png

This is an all-in-one setup for a home lab. If you do this the right way you probably won't be managing it yourself. It uses KVM on CentOS (or Xen is possible on other platforms).

There is no billing directly through OpenStack, but it provides the info for that. Usage is tracked for all projects. You can set up billing through something like Cloudforms (ManageIQ). It doesn't look like Vmango does anything related to billing at all.

However, to be frank, are you really going to be charging customers to run a VPS on a single host?

Kimchi Screenshot Tour:

23_1513416848168_2017-12-16 11_32_41-Wok.png 22_1513416848168_2017-12-16 11_32_33-Wok.png 21_1513416848168_2017-12-16 11_32_26-Wok.png 20_1513416848168_2017-12-16 11_32_21-Wok.png 19_1513416848168_2017-12-16 11_32_12-Wok.png 18_1513416848167_2017-12-16 11_32_07-Wok.png 17_1513416848167_2017-12-16 11_31_59-Wok.png 16_1513416848167_2017-12-16 11_31_55-Wok.png 15_1513416848167_2017-12-16 11_31_38-Wok.png 14_1513416848167_2017-12-16 11_31_26-Wok.png 13_1513416848166_2017-12-16 11_31_21-Wok.png 12_1513416848166_2017-12-16 11_31_18-Wok.png 11_1513416848166_2017-12-16 11_31_12-Wok.png 10_1513416848165_2017-12-16 11_31_05-Wok.png 9_1513416848165_2017-12-16 11_30_49-Wok.png 8_1513416848162_2017-12-16 11_30_59-Wok.png 7_1513416848162_2017-12-16 11_33_31-Wok.png 6_1513416848162_2017-12-16 11_33_25-Wok.png 5_1513416848162_2017-12-16 11_33_15-Wok.png 4_1513416848161_2017-12-16 11_33_02-Wok.png 3_1513416848161_2017-12-16 11_32_51-Wok.png 2_1513416848161_2017-12-16 11_32_48-Wok.png 1_1513416848161_2017-12-16 11_32_44-Wok.png 0_1513416848159_2017-12-16 11_32_38-Wok.png

0_1513417013975_2017-12-16 11_35_13-noVNC.png

@dustinb3403 said in KVM in Production - Build it yourself:

Building a template VM with your backup agent installed might work (urbackup etc) as they'd register to your server.

Buy individual agents is again more than anyone really wants to manage.

I think we have two KVM backup discussions going on, so I'll post a link to my other reply here:

https://mangolassi.it/topic/15826/kvm-and-back-ups/23

@dafyre said in KVM and Back Ups:

@scottalanmiller said in KVM and Back Ups:

@dafyre said in KVM and Back Ups:

@scottalanmiller said in KVM and Back Ups:

@dafyre said in KVM and Back Ups:

In my experience with it, it has often corrupted randomly and to the point that it's own snapshots are no help, nor are VMware Snapshots.

How could it correct VMware snapshots?

I guess it's more that BtrFS doesn't detect the corruption early enough and our VMware snapshot are nothing but snapshots of corrupt data... That's about the only way I can explain it.

General risk with hypervisor level backups. This is a huge reason for either local file based or what I call devops backups. They are at a higher level, so there is way more opportunity for this.

But if the system was okay when you took the VMware snap, it should have been okay when you restored it. Regardless of corruption.

Yeah, exactly.... and this is why Snapshots are not a backup!

Snapshots absolutely are the backup mechanism.

@tim_g said in Beginner's Guide to KVM Administration:

@fateknollogee said in Beginner's Guide to KVM Administration:

@dustinb3403 said in Beginner's Guide to KVM Administration:

ssh-keygen -t rsa
The above generates the rsa keys required to connect without a password.

I'm using ecdsa (instead of rsa) per this info: Choosing an Algorithm & Key Size
ssh-keygen -t ecdsa -b 521

Nice. That's the equivalent to 15,360 bit RSA!

I want to see if e everything I use including GitLab can support that.

From my reading, it should.

@tim_g said in KVM - Virt-Manager on a Separate VM:

@dustinb3403 said in KVM - Virt-Manager on a Separate VM:

@tim_g said in KVM - Virt-Manager on a Separate VM:

@dustinb3403 said in KVM - Virt-Manager on a Separate VM:

@tim_g said in KVM - Virt-Manager on a Separate VM:

@dustinb3403 said in KVM - Virt-Manager on a Separate VM:

@jaredbusch said in KVM - Virt-Manager on a Separate VM:

@DustinB3403

I use my user in the libvirt group so I do not have to bother with the root user.

gpasswd -a jbusch libvirt

Then this works.
0_1512760351248_a5ddf1f5-ef56-46e1-b1a7-f9593c68a19c-image.png

Holy fuck it took way to long to get to this point.

So here is the stupid approach. ssh-keygen -t rsa generating. . . . . . . . . The key fingerprint is . . . ssh-copy-id -i /home/user/.ssh/d_rsa.pub user@kvm-server-ip

Login with user@kvm-server-ip password

Test the login

Disconnect from the remote server and run this next bit on your management system.

gpasswd -a username libvirt

Done, and it works.

@JaredBusch thanks for cutting through the bullshit and helping out here.

Wyd you talking about. JARED mentioned that step like 3 posts down from your OP, and it was mentioned several other times as well.

Huh?

Nothing was as simple as what I just did, Jared was getting to the point at the top of the topic, but there were additional steps I was missing (failed to do entirely). So I dumped all of the rsa keys, and started fresh.

The whole thing is taht simple.

generate your ssh keys copy the ssh keys add to libvirt group (mentioned in beginning of thread and every other KVM related thread)

Done. You can break that up into as many sub steps as you want, but that's what you do.

nevermind. . .

That's the entire point i tried to make in my 5-steps before it getting ripped apart for me wanting to use 4096 instead of 2048, and not using ssh-copy-id.

Because you were a twit about it.

@black3dynamite said in Centralized Management of KVM Hosts:

@scottalanmiller said in Centralized Management of KVM Hosts:

@emad-r said in Centralized Management of KVM Hosts:

@tim_g said in Centralized Management of KVM Hosts:

@travisdh1 said in Centralized Management of KVM Hosts:

That looks nightmareish for something that should be quite simple.

oVirt is super simple. They have a live boot ISO ready to go to install.

I dont think it is super simple at all, if you ask me it is big mess. Only usable in big IT corp.

What's difficult about it? In using it, it was just "install and bam, it worked". An SMB would find it far easier than the competition, from what I've used.

Isn’t there a script that can be reused at the end of setup, after installing the first time for quicker deployments?

That's easily possible, but not something that I've noticed.

@fateknollogee said in Server 2008 w Hyper-V infrastructure: needs upgrades!!:

@tim_g said in Server 2008 w Hyper-V infrastructure: needs upgrades!!:

This was on a MD1000, very old.

MD1000...old school! I know those units. I've got 2 of them in storage gathering dust!

I have 2x LSI 620J. I might just connect it with LSI 9207E HBA

If you don't mind the 3 gbps bus, the MD1000s are amazing.

@JaredBusch said in KVM VM Replication:

@scottalanmiller said in KVM VM Replication:

Just using the search is best

Tags.

yeah, having tags on the topics makes them better than pinning.

@scottalanmiller said in Home Network Setup:

@jmoore said in Home Network Setup:

@scottalanmiller said in Home Network Setup:

@dashrender said in Home Network Setup:

The whole crux of my ask was - the desire to buy as few Windows Server CALs as possible.

This is unrelated to the question asked, though.

you know i have noticed you and dash really communicate differently. not good or bad, just different. then you both have trouble understanding the other. from the many threads i have read with you two, that is the common theme i have seen.

I'd assume part of it is that I am highly literal. That tends to be a root of many communications issues for me in general.

yeah i think your right you are literal. i had to adjust my communication with you. that was my fault though, i am used to having to be so unliteral with my users because i would lose them that i got into that bad habit lol. i know for me, i was not explaining my thoughts in a well laid out way and that made me harder to understand and threw you off. did i do better that time?